Google Cloud’s Office of the CISO and Mandiant published a report, ‘Security Guidance for Cloud-Enabled Hybrid Operational Technology Networks,’ outlining tactical measures to safeguard manufacturing and energy sector OT (operational technology) systems as cloud adoption accelerates. The guidance addresses the growing integration of IT and OT environments, highlighting how cloud platforms can drive operational efficiency, enable AI-powered digital immune systems, and support secure hybrid manufacturing networks. Aimed at organizations regardless of cloud provider, the report focuses on actionable steps to strengthen defenses while ensuring safe, resilient operations in increasingly connected industrial environments.

“The rapidly evolving manufacturing and industry threat landscape further exacerbates the complexity of manufacturing security and necessitates a holistic approach to security that addresses IT, OT, product engineering, and supply chain security,” the Google Cloud report detailed. “A broad spectrum of bad actors, ranging from state-sponsored advanced persistent threats (APTs) to hacktivists to financially motivated ransomware groups, target this space. And recent data suggests that the manufacturing sector is one of the most targeted global sectors. In the context of manufacturing processes, vulnerability exploitation is a top vector, followed by others such as insecure and inadvertent exposure to the internet, weak identity and access management (IAM), and lack of segmentation.” 

It also pointed out that multiple recent incidents indicate that the impact on the manufacturing process can be direct or indirect. “A direct impact would be due to a targeted attack on the manufacturing processes, operations, and systems – IT or OT. An indirect impact would be due to an attack on enterprise IT systems, including enterprise resource planning (ERP) and manufacturing execution system (MES), that may force the organization to shut down the manufacturing processes/operations. Irrespective of the nature of the incident, any direct, indirect, or perceived threats to the production systems could have direct safety, security, productivity, availability, and reliability implications on the manufacturing processes and the overall business operations.” 

Additionally, the growing number of Software as a Service (SaaS) offerings from OT application vendors, together with the availability of hardened cloud infrastructure, gives OT owners a significant opportunity to move supporting workloads off fragile on-premises hosts without relaxing the controls around the process itself.

Highlighting the evolution of hybrid OT networks, the Google Cloud paper identified that in a security-centric, traditional OT architecture, there are physical and logical security controls between each level and between systems within the levels of industrial or manufacturing zones. “Adhering to the IEC 62443 standard and NIST 800-82 guidance, the secure means of facilitating the communications across the OT architecture is by using zones and conduits.” 

To significantly bolster security-inclusive OT operations, the report highlighted that it is crucial to implement security-focused leading practices. These include deploying dedicated OT network services (DNS, NTP, directory, patch and update distribution) that are separate from the enterprise network, with OT-specific IAM rather than enterprise identities reused inside the plant. This should be combined with monitoring, segmentation, role-based access controls (RBAC), granular firewall rules, and a secure, encrypted, unidirectional connection from the OT environment to the virtual private cloud (VPC), so that data flows out to the cloud but no session can be initiated from the cloud back into the control network.

Recognizing that a modern cloud or cloud-embracing environment builds upon the traditional on-premises architecture, the Google Cloud paper said that this “presents an opportunity for OT process owners and pertinent business owners to migrate on-premises computing and data management infrastructure to Google Cloud without impacting local controls. At the start of any transformation or change, the business and engineering teams should evaluate the direct impacts and value to the business objectives.” 

It added that cloud services can simplify efforts and streamline processes across manufacturing optimization, business intelligence, cybersecurity, and other business avenues. Using cloud services does not change the fundamental security principle of ensuring secure, safe, reliable, and resilient operations with high availability.

Operational and tactical approaches to secure OT networks rely on various security processes, controls, hardening, and strategic placement of tools and services across the network and systems. To achieve a scalable defense-in-depth approach, fundamental enforcers – such as up-to-date planning and operational network architectures, information flow discoveries and definitions, systems interconnections coupled with the physical inventory – are needed for an operational-level understanding of the system-to-system operational and data dependencies. 

The engineering teams should continue on this journey to enumerate the industrial control system (ICS)/OT protocols in use; the direction of read and write tags across their supervisory control and data acquisition (SCADA), distributed control system (DCS), historian, and open platform communications (OPC) servers; expected controller commands; function codes exchanged between components and applications; and the other Purdue Enterprise Reference Architecture (PERA) level 0-2 components within their network. Then, during inventory activities, systems and their communication paths should be overlaid with the protection level assigned to each system or subsystem, which helps determine the security controls needed to protect and defend the systems without compromising or degrading their performance.
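One way to turn the inventory described above into an enforceable check, as an added example that is not Google Cloud's or the report's own code: model the zones and conduits (the IEC 62443 / NIST SP 800-82 construct the paper cites), make the OT-to-VPC conduit outbound-only, and inspect Modbus/TCP function codes so that only a conduit that is meant to write can carry write requests. Zone names, IP ranges, conduit definitions and the sample frames are all constructed assumptions for illustration; the write-capable function codes (5, 6, 15, 16, 22, 23) are from the Modbus application protocol specification.

```python
"""Zone/conduit policy evaluation over constructed Modbus/TCP flows.

Added example only; nothing here is taken from the Google Cloud report.
Zones, conduits, addresses and frames below are assumptions built for
illustration, not a real plant's inventory.
"""
import ipaddress
import struct
from typing import Optional, Tuple

# Modbus function codes that modify coils/registers (Modbus application
# protocol spec); any other code is treated as read-only in this example.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Constructed zones loosely mapped to PERA levels (addresses are assumed).
ZONES = {
    "L1_CONTROL": ipaddress.ip_network("10.10.1.0/24"),      # PLCs / RTUs
    "L2_SUPERVISORY": ipaddress.ip_network("10.10.2.0/24"),  # HMI / SCADA servers
    "L3_SITE_OPS": ipaddress.ip_network("10.10.3.0/24"),     # historian, OPC
    "OT_DMZ": ipaddress.ip_network("10.10.9.0/24"),          # brokered egress
    "CLOUD_VPC": ipaddress.ip_network("10.200.0.0/16"),      # cloud landing zone
}

# Conduits are directional: (src_zone, dst_zone). Absence of the reverse
# tuple is what makes the OT -> VPC path unidirectional.
CONDUITS = {
    ("L2_SUPERVISORY", "L1_CONTROL"): {"protocols": {"modbus"}, "writes": True},
    ("L3_SITE_OPS", "L1_CONTROL"): {"protocols": {"modbus"}, "writes": False},
    ("L3_SITE_OPS", "OT_DMZ"): {"protocols": {"tls"}, "writes": False},
    ("OT_DMZ", "CLOUD_VPC"): {"protocols": {"tls"}, "writes": False},
}


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone; None means 'not in the asset inventory'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_modbus_tcp(frame: bytes) -> Tuple[int, int]:
    """Return (unit_id, function_code) from a Modbus/TCP ADU.

    MBAP header: transaction id (2), protocol id (2, must be 0),
    length (2, bytes following the length field), unit id (1); then the
    PDU starts with the function code. Malformed frames raise ValueError.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto_id, length, unit_id, fc = struct.unpack(">HHHBB", frame[:8])
    if proto_id != 0:
        raise ValueError("MBAP protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return unit_id, fc


def evaluate_flow(src_ip: str, dst_ip: str, protocol: str,
                  frame: Optional[bytes] = None) -> Tuple[str, str]:
    """Decide allow/deny for one observed flow against the conduit table."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "endpoint not in zone inventory"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic in {src_zone}"
    conduit = CONDUITS.get((src_zone, dst_zone))
    if conduit is None:
        return "deny", f"no conduit {src_zone}->{dst_zone}"
    if protocol not in conduit["protocols"]:
        return "deny", f"{protocol} not permitted on conduit {src_zone}->{dst_zone}"
    if protocol == "modbus":
        if frame is None:
            return "deny", "modbus flow without inspectable frame"
        try:
            _unit, fc = parse_modbus_tcp(frame)
        except ValueError as exc:
            return "deny", f"malformed modbus frame: {exc}"
        if fc in WRITE_FUNCTION_CODES and not conduit["writes"]:
            return "deny", f"write function code {fc} on read-only conduit"
    return "allow", f"conduit {src_zone}->{dst_zone} permits {protocol}"


# Constructed sample frames: FC 3 read holding registers (addr 0, qty 10)
# and FC 6 write single register (addr 16, value 0x1234). Length field is
# 6 = unit id + function code + 4 data bytes.
READ_HOLDING_REGS = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)
WRITE_SINGLE_REG = struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 16, 0x1234)

if __name__ == "__main__":
    samples = [
        ("10.10.2.5", "10.10.1.20", "modbus", WRITE_SINGLE_REG),   # HMI writes PLC
        ("10.10.3.7", "10.10.1.20", "modbus", READ_HOLDING_REGS),  # historian polls
        ("10.10.3.7", "10.10.1.20", "modbus", WRITE_SINGLE_REG),   # historian writes
        ("10.200.4.1", "10.10.1.20", "modbus", READ_HOLDING_REGS), # cloud -> PLC
        ("10.10.9.2", "10.200.4.1", "tls", None),                  # DMZ -> cloud
        ("10.200.4.1", "10.10.9.2", "tls", None),                  # cloud -> DMZ
        ("192.168.1.1", "10.10.1.20", "modbus", READ_HOLDING_REGS),# unknown host
    ]
    for src, dst, proto, fr in samples:
        verdict, reason = evaluate_flow(src, dst, proto, fr)
        print(f"{src:>12} -> {dst:<12} {proto:<7} {verdict:<5} {reason}")
```

The table of conduits is the artifact worth keeping under change control: a new application that needs to write to a controller should appear as an explicit conduit entry with `writes` set, reviewed against the protection level of the target zone, rather than as a broad firewall exception.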

The Google Cloud report added that its security checklists draw on zero-trust principles, NIST SP 800-82, and IEC 62443, and are intended to serve as guidance for both on-premises and hybrid (cloud-connected) OT environments.

Organizations should approach hybrid architecture security from two fronts: on-premises OT security and secure cloud operationalization for OT. They must focus on delivering operational and tactical security considerations for security and engineering teams across those two fronts. The security and engineering teams can tactically use the architectural guidance in this document to achieve secure on-premises architectures and leverage Google Cloud products and services, including the built-in/integrated security suite, for a holistic hybrid network security.

The Google Cloud report urges organizations to maintain a current inventory of OT assets and their connections within and across trust zones, establish hard-restart recovery plans, ensure cyber-physical modularity through segmentation, and limit unnecessary OT exposure to the internet.

The guidance advocates for manual operations of the most critical systems as a backup option in case of catastrophic failures, a defense-in-depth architecture, reproducible software and hardware processes, regular maintenance and testing, comprehensive incident response and recovery policies, thorough safety and security testing, and transparent supply chain management. 

The Google Cloud paper comes as global cybersecurity agencies published new guidance to help OT owners and operators across critical infrastructure sectors create and maintain comprehensive OT asset inventories and taxonomies. The document outlines the process to create an OT asset inventory, develop a taxonomy of OT systems, and create a modern defensible architecture by providing net defenders with digestible foundational elements and best practices. This is critical as OT systems are vital to the core functionality of the nation’s critical infrastructure to operate by powering process automation, instrumentation, cyber-physical operations, and ICS.